Delaware
DPDPA Consumer Rights: Delaware Data Privacy

Under the Delaware Personal Data Privacy Act (DPDPA), Del. Code tit. 6, ch. 12D, a Delaware resident can confirm whether a business is processing their personal data and access it, correct inaccuracies, delete data, obtain a portable copy, get a list of the categories of third parties that received their data, and opt out of targeted advertising, the sale of personal data, and certain profiling. These rights are set out in § 12D-104(a) and took effect January 1, 2025.
A controller must respond to a rights request within 45 days under § 12D-104(c), with one 45-day extension when reasonably necessary, and must offer an appeal process under § 12D-104(d). As of January 1, 2026, controllers must also honor a universal opt-out preference signal such as Global Privacy Control under § 12D-106(e). The Delaware Department of Justice enforces these rights, and there is no private right of action.
Jurisdiction scope: This covers Delaware's Personal Data Privacy Act (Del. Code tit. 6, ch. 12D). It is general legal information, not legal advice.
The five core data rights
The DPDPA grants Delaware consumers a full slate of data rights in § 12D-104(a). These rights apply to covered controllers, meaning businesses that meet the applicability thresholds in § 12D-103.
The right to access, in § 12D-104(a)(1), lets a consumer confirm whether a controller is processing the consumer's personal data and access that data. The right to correct, in § 12D-104(a)(2), lets a consumer correct inaccuracies, taking into account the nature of the personal data and the purposes of processing.
The right to delete, in § 12D-104(a)(3), is broad: a consumer may delete personal data provided by or obtained about the consumer. That reaches beyond data the consumer supplied directly to data the business obtained from other sources. The right to data portability, in § 12D-104(a)(4), lets a consumer obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
For the full controller obligations behind these rights, see the Delaware data privacy laws parent page.
The categories-of-third-parties list right
A distinct DPDPA right lets consumers see where their data has traveled. Under § 12D-104(a)(5), a consumer may obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data.
This is a category-level disclosure. A controller discloses groups of recipients, such as advertising networks, analytics providers, or payment processors, rather than every individually named company. Even so, it gives consumers a structured view of the controller's data sharing and forces businesses to track and maintain their disclosure categories.
To answer these requests accurately, a controller needs a data map that records which categories of vendors and partners receive which data. Businesses that have not inventoried their downstream sharing will struggle to respond within the statutory deadline.
The three opt-out rights
Section 12D-104(a)(6) gives consumers three opt-out rights. Under § 12D-104(a)(6)(a), a consumer may opt out of the processing of personal data for purposes of targeted advertising. Under § 12D-104(a)(6)(b), a consumer may opt out of the sale of personal data. Under § 12D-104(a)(6)(c), a consumer may opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
The profiling opt-out is narrow by design. It reaches automated decisions with legal or similarly significant effects, such as decisions affecting access to financial services, housing, employment, or similar outcomes. Routine ad personalization that does not produce such effects falls under the targeted-advertising opt-out instead.
Delaware's definition of "sale" is broad. It covers the exchange of personal data for monetary or other valuable consideration, which means data sharing that produces non-cash value can still count as a sale and trigger the opt-out.

Response deadlines, extensions, and authentication
A controller must respond to a consumer rights request promptly. Under § 12D-104(c)(1), the controller must respond without undue delay and in any case not later than 45 days after receiving the request. The controller may extend that period by an additional 45 days when reasonably necessary, considering the complexity and number of requests, as long as it informs the consumer of the extension and the reason for it within the initial 45-day window.
If a controller declines to act, it must tell the consumer why within that response period and explain how to appeal. A controller may decline to act on a request it cannot authenticate using commercially reasonable efforts, and in that situation it is not required to comply but may ask the consumer for information reasonably necessary to authenticate the request.
Responses must generally be provided free of charge, up to twice annually per consumer. If requests are manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee or decline to act, and it bears the burden of demonstrating that character.
The appeal process
The DPDPA requires controllers to build an appeal path for consumers whose requests are denied. Under § 12D-104(d), a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request. The appeal process must be conspicuously available and similar to the process for submitting the original request.
Within 60 days of receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken in response, along with a written explanation of the reasons. If the controller denies the appeal, it must also provide the consumer with a way to contact the Delaware Department of Justice to submit a complaint.
That referral to the regulator is a practical backstop. A consumer who believes a controller wrongly denied a rights request can escalate the matter to the enforcer rather than relying only on the controller's internal review.

The universal opt-out mechanism, effective January 1, 2026
Delaware requires controllers to honor a browser-level or device-level opt-out signal. Under § 12D-106(e), not later than January 1, 2026, a controller that processes personal data for targeted advertising or sells personal data must allow consumers to opt out through an opt-out preference signal sent by a platform, technology, or mechanism, such as Global Privacy Control.
The universal opt-out mechanism lets a consumer set a single signal in their browser or device that automatically communicates an opt-out to every site they visit, rather than clicking an opt-out link on each one. As of 2026, this requirement is in force, so covered businesses must detect and respect the signal.
When the signal conflicts with a setting the consumer affirmatively chose, the law allows the controller to notify the consumer and let them confirm the conflicting choice, but the default is to treat a recognized signal as a valid opt-out.
Teen protections for ages 13 to 17
The DPDPA adds a protection for older minors that goes beyond the general opt-in for children's data. Under § 12D-106(a)(7), where a controller has actual knowledge, or willfully disregards, that a consumer is at least 13 but younger than 18 years of age, the controller may not process that consumer's personal data for purposes of targeted advertising, or sell that personal data, without the consumer's consent.
This shifts the default for the 13-to-17 age band from opt-out to opt-in for targeted advertising and sale. A business that knows a user is a teenager, or that ignores clear signs of it, cannot rely on the teen's failure to opt out. It must obtain affirmative consent first.
This is separate from the rule for known children under 13, whose sensitive data and personal data are governed by the consent requirements in § 12D-106(a)(4) and related federal children's privacy law.
Rights and deadlines at a glance
| Right or step | Statute | Key detail |
|---|---|---|
| Access | § 12D-104(a)(1) | Confirm and access personal data |
| Correct | § 12D-104(a)(2) | Fix inaccuracies |
| Delete | § 12D-104(a)(3) | Data provided by or obtained about the consumer |
| Portability | § 12D-104(a)(4) | Portable, readily usable copy |
| Third-party categories list | § 12D-104(a)(5) | Categories of third parties that received data |
| Opt out of ads, sale, profiling | § 12D-104(a)(6) | Targeted ads, sale, significant-effect profiling |
| Response deadline | § 12D-104(c)(1) | 45 days, plus one 45-day extension |
| Appeal response | § 12D-104(d) | 60 days, with DOJ complaint referral |
| Universal opt-out signal | § 12D-106(e) | Required by January 1, 2026 |
More Delaware Laws
- Delaware AI Meeting Recording Laws
- Delaware Alimony Laws
- Delaware At-Will Employment Laws
- Delaware Car Accident Laws
- Delaware Car Seat Laws
- Delaware Child Custody Laws
- Delaware Child Support Laws
- Delaware Common Law Marriage Laws
- Delaware Deepfake Laws
- Delaware Divorce Laws
- Delaware Dog Bite Laws
- Delaware Emancipation Laws
- Delaware Expungement Laws
- Delaware Hit and Run Laws
- Delaware Landlord-Tenant Laws
- Delaware Lemon Laws
Related guides
Frequently Asked Questions
What rights do Delaware consumers have under the DPDPA?
Under section 12D-104(a), Delaware consumers can confirm and access their personal data, correct inaccuracies, delete data provided by or obtained about them, obtain a portable copy, get a list of the categories of third parties to which the controller disclosed their data, and opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. These rights took effect January 1, 2025.
How long does a business have to respond to a DPDPA request?
Under section 12D-104(c)(1), a controller must respond without undue delay and not later than 45 days after receiving the request. The controller may extend that period by an additional 45 days when reasonably necessary, as long as it notifies the consumer of the extension and the reason within the first 45 days.
Can I find out who received my data under the DPDPA?
Yes, at the category level. Under section 12D-104(a)(5), a Delaware consumer may obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data, such as advertising networks or analytics vendors. Delaware discloses categories of recipients rather than every individually named company.
How do I opt out of targeted advertising or the sale of my data in Delaware?
Under section 12D-104(a)(6), you may submit an opt-out request to the controller for targeted advertising, the sale of personal data, and significant-effect profiling. As of January 1, 2026, under section 12D-106(e), controllers that run targeted advertising or sell data must also honor a universal opt-out preference signal such as Global Privacy Control sent automatically by your browser or device.
What is the universal opt-out mechanism in Delaware?
It is a browser or device signal, such as Global Privacy Control, that automatically tells every website you visit that you are opting out of targeted advertising and the sale of your data. Under section 12D-106(e), controllers must recognize this opt-out preference signal as of January 1, 2026, so you can set one signal instead of clicking an opt-out on each site.
Can I appeal if a business denies my DPDPA request?
Yes. Under section 12D-104(d), controllers must provide a conspicuous appeal process similar to the original request process. The controller must respond to an appeal within 60 days with a written explanation, and if it denies the appeal it must give you a way to submit a complaint to the Delaware Department of Justice.
Does the DPDPA protect teenagers?
Yes. Under section 12D-106(a)(7), where a controller has actual knowledge or willfully disregards that a consumer is at least 13 but younger than 18, it may not use that consumer's data for targeted advertising or sell the data without consent. This makes the default for 13-to-17-year-olds opt-in rather than opt-out for those activities.
Can I sue a business under the DPDPA?
No. Under section 12D-111(d), the DPDPA does not create a private right of action. The Delaware Department of Justice has exclusive enforcement authority under section 12D-111 and can seek civil penalties of up to $10,000 per violation. Consumers who believe their rights were violated can submit a complaint to the Department of Justice.
Sources and References
- Del. Code tit. 6, ch. 12D: Delaware Personal Data Privacy Act (Full Chapter)(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-104: Personal Data Rights of Consumers(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-106: Responsibilities of Controllers and Universal Opt-Out(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-102: Definitions (Sale, Consent, Profiling)(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-111: Enforcement by the Department of Justice(delcode.delaware.gov).gov
- Delaware Department of Justice: Personal Data Privacy Portal(attorneygeneral.delaware.gov).gov
- Delaware DOJ: Personal Data Privacy Act Frequently Asked Questions(attorneygeneral.delaware.gov).gov